=======================================================
=         phpSecurePages version 0.31HM beta          =
=         http://phpsecurepages.site.voila.fr         =
=======================================================

------ introduction ------

- Easy security for your pages!
- Make different groups of users, each with their own rights.
- Identify the user and use his/her data in your site.
- Can be used with or without a database (MySQL, PostgreSQL, Oracle or MS SQL Server), or with an LDAP directory.
- Fully customisable screens and configuration.
- Multiple-language support.
- Works with PHP3 (MySQL only; other databases and LDAP require PHP4) and PHP4.
- Access can be logged in log files.

With this web application installed, you'll be able to secure your pages in a very fast and simple way. Just add one row of PHP code to your page, and access is granted only to those who are allowed. You can implement it with your existing database or LDAP directory, or just put the data in the configuration file.

Do you want to have different levels of security? No problem, just create different user groups and give them their own rights. Furthermore, the data of the user (login name, password, user level and ID) is available after login to be used in your pages.

Do you want to change the look of the login screen? No problem, just change the HTML code in 'interface.php' to create your own design. And don't forget, you can customize this program to use your own native language.

------ what's new ------

Look in the file changelog.txt for the latest changes.

Also check my site for a list of Frequently Asked Questions:
- in French: http://www.ifrance.com/mercusot/phpSecurePages
- or http://www.phpSecurePages.com/ for the vanilla version

------ requirements ------

- For PHP3, phpSecurePages needs MySQL installed on the server and the two required tables created.
- For PHP4, MySQL is optional: phpSecurePages can be used with or without MySQL, PostgreSQL, Oracle, MS SQL Server or an LDAP directory.
This last version has been tested with Apache 1.3 and 2.0.40, MySQL 3.23.54 and 4.0.15, PostgreSQL 7.4.2, Oracle 9i DB, Oracle's OID and MS Active Directory for LDAP, PHP 4.2.2 and 4.3.3.

------ installation ------

- Extract the files into the directory 'phpSecurePages' on your server.
- Make sure that all .php files are handled by the server through the PHP parser.
- Edit the configuration in the file 'secure.php' (see section 'configuration').
- Put the required lines of code on your HTML pages (see section 'workings').
- If you use a database (MySQL is required for PHP3), create the required tables (see section 'SQL Databases').
- To use an LDAP directory, edit the configuration in the file 'secure.php' (see section 'LDAP directory').

------ configuration ------

Edit the file 'secure.php' to change the configuration. Make sure you read the comments added on each row.

- First provide the required information about the installation of this program.
- Then choose whether you want to use a database, an LDAP directory, or just put the login data in this configuration file (the configuration-file method works with PHP3 and PHP4; PHP3 however still needs the two MySQL tables for handling session data). If both are set to 'true', then the database is used. Note that it is possible to use more than the 3 accounts of data in the configuration file: just add more blocks of variables, incrementing the index number of the array.
- Enter the required information for your chosen method.
- The usage of user levels is optional. Just leave it empty if you decide not to use it.
- The same is true for user IDs; they are also optional. Just leave it empty if you decide not to use it.
- Do not change the information below 'End of phpSecurePages Configuration' or in the other PHP files, unless you know what you're doing.

After that, add the required code to your HTML pages as described in the section 'workings' below.
------ workings ------

For examples of the described workings, look into the code of the provided test files. These are not necessary for the working of this application, and can safely be deleted if you want to.

To make a page safe, without the use of user levels, simply add the following line as the very first line of every page:

The above line is only correct with a default installation, of course. If you installed the program elsewhere on the server, make sure you change the path accordingly, so that it points to the configuration file. When someone now tries to view this page, he/she is first asked to log in before the page is shown.

--- workings: user levels ---

If you want to use different user levels, you must first group your users into different groups and give a number to each group (don't use 0). Then decide which group is allowed to view each page. Instead of the above line, add the following line (in which you put the allowed user groups) at the top of each page:

Example: if you have 4 user groups and groups 1 and 3 are allowed to view a certain page, then the code would be as follows:

Furthermore, since version 0.19 it is also possible to supply a minimal required user level. If the user has a higher level than the supplied number, he is also allowed access. To allow all users of level 5 and higher, the following code should be used:

Both methods can be used simultaneously; for instance, the following code gives access to users of level 2, 4 and 6 and higher:

--- workings: logout ---

Note: the code below is new since version 0.15b; alter your old code if you upgrade from an older version. To log out, simply make a link to a page on which you add the following line of code (here it is also necessary to change the location if you installed the program in another directory):

--- workings: variables ---

After the program has run, the following variables are set, and can thus be used in the remaining code of your page.
Use them, for instance, to write the user's ID code, or in a query to a database to gather more information about this user.

    login name: $login
    password:   $password
    user level: $userLevel
    ID code:    $ID

Note that if MD5 encryption is required in the configuration file, the $password variable will contain the encrypted (hashed) password, as it is stored in the database or configuration file; except when using LDAP, where the password stays in clear text. Also note that in the case of an LDAP directory the variable $userLevel becomes an array, because the attributes of an LDAP directory can be multivalued.

--- workings: log file ---

When the noLogs variable is set to 'false', traces of connections and disconnections are kept in the sub-directory logs/ of the $cfgProgDir directory. It must be created and be readable/writeable by the web server. There is one log file per month. The comma-separated values are:

- date
- action (login, logout or error message mnemonic)
- login used
- user level, if there is one
- ID code, if it exists and is identified
- IP address of the client (with reverse DNS name)
- calling page (PHP variable HTTP_REFERER)
- called URI (PHP variable REQUEST_URI)
- browser type (PHP variable HTTP_USER_AGENT)
- script currently executing (PHP variable PHP_SELF)

------ SQL Databases ------

MySQL =>

If you desire to use MySQL to store the login / password combinations, I suggest you use a database with the following structure. Note however that you can also use other database, table and column names; they can be changed in the configuration file. The $cfgTypeDB variable must be set to 'MYSQL' in the configuration file secure.php.

    # MySQL-Dump
    # Database: phpSecurePages
    # Table structure for table 'phpSP_users'
    CREATE TABLE phpSP_users (
      primary_key MEDIUMINT UNSIGNED NOT NULL AUTO_INCREMENT,
      user VARCHAR(50) NOT NULL,
      password VARCHAR(32) NOT NULL,
      userlevel TINYINT(3),
      PRIMARY KEY (primary_key),
      KEY (user)
    );

If you use phpSecurePages on a server with PHP3, the following two tables MUST be created.
These two tables are not used with PHP4. The above table remains optional. Unlike the above table, only the database and table names can be changed (not the column names).

    # MySQL-Dump
    # Database: phpSecurePages
    # Table structure for tables 'phpSP_sessions' and 'phpSP_sessionVars'
    CREATE TABLE phpSP_sessions (
      id CHAR(20) NOT NULL,
      LastAction DATETIME DEFAULT '0000-00-00 00:00:00' NOT NULL,
      ip CHAR(15) NOT NULL,
      userID MEDIUMINT(9),
      PRIMARY KEY (id),
      KEY id (id),
      UNIQUE id_2 (id)
    );

    CREATE TABLE phpSP_sessionVars (
      id MEDIUMINT(8) UNSIGNED DEFAULT '0' NOT NULL AUTO_INCREMENT,
      session VARCHAR(20) NOT NULL,
      name VARCHAR(32) NOT NULL,
      intval INT(10) UNSIGNED,
      strval VARCHAR(100),
      PRIMARY KEY (id),
      KEY sessionID (session),
      UNIQUE id (id)
    );

PostgreSQL =>

If you desire to use PostgreSQL to store the login / password combinations, I suggest you use a database with the following structure. Note however that you can also use other database, table and column names; they can be changed in the configuration file. The $cfgTypeDB variable must be set to 'POSTGRES' in the configuration file secure.php. Caution: the table name must be set in lowercase to be correctly parsed.

    -- Database: phpSecurePages
    -- Table structure for table 'phpsp_users'
    CREATE TABLE "phpsp_users" (
      primary_key SERIAL PRIMARY KEY,
      login varchar(50) UNIQUE NOT NULL,
      password varchar(32) NOT NULL,
      userlevel smallint,
      CHECK (primary_key > 0)
    ) WITHOUT OIDS;

Note that the "user" column has been replaced by the "login" one: "user" is a PostgreSQL reserved keyword. Remember to change the secure.php configuration file accordingly.

ORACLE =>

If you desire to use Oracle to store the login / password combinations, I suggest you use a database with the following structure. Note however that you can also use other table and column names; they can be changed in the configuration file. Note however that they must be declared in uppercase to be correctly parsed.
The $cfgTypeDB variable must be set to 'ORACLE' in the configuration file secure.php.

    -- Table structure for table 'phpSP_users'
    -- Create sequence
    create sequence SEQ_PHPSP_PKEY
      minvalue 1
      start with 1
      increment by 1
      NOCACHE;
    -- Create table
    create table phpSP_users (
      PRIMARY_KEY integer not null,
      LOGIN VARCHAR2(50) not null,
      PASSWORD VARCHAR2(32) not null,
      USERLEVEL smallint
    );
    -- Create primary and unique key constraints
    alter table phpSP_users
      add constraint KEY_PHPSP_USERS_PKEY primary key (PRIMARY_KEY)
      using index;
    alter table phpSP_users
      add constraint KEY_PHPSP_USER unique (LOGIN)
      using index;
    -- Create check constraints
    alter table phpSP_users
      add constraint chk_phpsp_users_pkey_positive
      check (primary_key > 0);
    -- Create trigger (fills PRIMARY_KEY from the sequence on insert)
    create or replace trigger TRIG_PHPSP_USERS_PKEY
      before insert on phpSP_users
      for each row
    begin
      select SEQ_PHPSP_PKEY.nextval into :new.PRIMARY_KEY from dual;
    end;
    /

Note that the "user" column has been replaced by the "LOGIN" one: "user" is an Oracle reserved keyword. Remember to change the secure.php configuration file accordingly.

MS SQL Server =>

If you desire to use MS SQL Server to store the login / password combinations, I have no suggested structure, since I have not tested it. But the examples above will give you an idea of the correct structure for MS SQL Server. Note however that you can also use other database, table and column names than the default ones; they can be changed in the configuration file. The $cfgTypeDB variable must be set to 'MSSQL' in the configuration file secure.php.

------ LDAP directory ------

The global philosophy is different with LDAP than with an SQL database in phpSecurePages.
We do not try to get back the password of a user and compare it with the entered one; instead we authenticate against the directory by trying, successively, all Distinguished Names found for the entered username, coupled with the entered password, until the directory accepts the authentication (this seems to be the process Windows uses to authenticate when it is based on Active Directory). Then we look for the attributes corresponding to the user's level and ID in the corresponding entry.

Warning: the attributes of an LDAP directory can be multivalued, so the variable $userLevel is an array when LDAP is used. ID is still a single variable by definition.

Note the definition of $cfgLdapFilterforDN, which is in fact the filter used during ldap_search and thus must have a correct syntax and use the boolean operators in the format described in the LDAP documentation (look at http://developer.netscape.com/docs/manuals/directory/41/ag/find.htm for further information on filters). Defining it between single quotes allows the use of the variable $login (the entered username) in the search filter without interpolating it immediately.

------ language ------

This program can give output in multiple languages. Change the variable $language in the configuration file 'secure.php' to use another language file. At this moment the following languages are supported:

- Arabic
- Brazilian Portuguese
- Bulgarian
- Catalan
- Czech
- Chinese Big5
- Chinese GB
- Danish
- Dutch
- English
- Estonian
- Euskara
- Finnish (2 versions)
- French
- German
- Icelandic
- Indonesian
- Italian
- Japanese (2 versions)
- Latvian
- Lithuanian
- Norwegian
- Polish
- Portuguese
- Romanian
- Russian, cp1251 (for Windows)
- Russian, KOI8-R (for Unix)
- Serbian
- Slovak
- Slovenian
- Spanish
- Spanish (Latin America)
- Swedish

I would love to receive new language files.
If your native language is not present yet, please translate the file 'lng_english.php' and send it to me, so I can add support for it in this program.

Note that if the sub-directory images/ contains a picture named like _enter.gif and/or _cancel.gif, it will be used in place of enter.gif and cancel.gif (an example is delivered with the French language). This picture must be 23 pixels high and under 80 pixels wide.

------ security ------

This application is meant to block everyone who doesn't know the right login and password combination from your pages. When properly installed, it is not possible to log in to your site without this data. However, this does not provide 100% security for your site (personally I don't think that this is possible on the Internet). Let me identify some issues you should be aware of if you try to secure your site. (None of these issues can be attributed to this program; they are about the security of your site in general.)

- If your pages are not parsed by a PHP parser, no password checking takes place. Everything on the page can then be viewed by everyone. Make sure you have configured your server to parse the PHP files.
- If somebody is able to crack into your server, they can most likely also gain access to the files stored on it. If so, this security is also bypassed. Make sure you have a secure server and that your applications are updated to the newest version.
- Login names and passwords are sent over the Internet in a non-secure manner. This means that if somebody is tapping the connection, they can get hold of the login names, the passwords and the data on the pages. To create a secure connection (one with encryption), contact your server provider.
- MD5 password encryption is obtained by setting the $passwordEncryptedWithMD5 parameter in the configuration file. Passwords must then be stored encrypted (as MD5 hashes) in the database or configuration file (useless with LDAP).
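As an added example (not code from phpSecurePages or its authors), the following Python script shows two offline checks that follow from the section 'workings: log file' and from the last point above. It verifies that an export of the phpSP_users password column contains only 32-character MD5 digests when $passwordEncryptedWithMD5 is set, and it parses a monthly log file from logs/ into its ten comma-separated fields and counts the failed-login actions per client IP. The table rows and log lines are constructed sample data; the error mnemonics (errBadPassword, errUnknownUser), the date layout and the page names are assumptions, not values taken from the program.

```python
"""Added example (not part of phpSecurePages): two offline checks an operator
can run against the data this README describes.

1. audit_password_column(): with $passwordEncryptedWithMD5 set, every value
   in the `password` column of phpSP_users must be a 32-hex MD5 digest.
   Anything else is a plaintext password that slipped into the table.
2. parse_log() / failed_logins_by_ip(): read a monthly log file from logs/
   (comma separated, ten fields, see 'workings: log file') and count the
   actions that are neither 'login' nor 'logout', i.e. the error mnemonics,
   per client IP.

All sample rows and log lines below are CONSTRUCTED; the error mnemonics
and the date layout are assumptions, not taken from the program.
"""
import csv
import hashlib
import io
import re
from collections import Counter

MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

# Field order as listed in the README section 'workings: log file'.
LOG_FIELDS = ("date", "action", "login", "userlevel", "id", "client",
              "referer", "request_uri", "user_agent", "script")


def stored_password_value(plaintext):
    """Value to put in phpSP_users.password when MD5 storage is enabled."""
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def audit_password_column(rows):
    """rows: iterable of (user, password) as exported from phpSP_users.
    Returns the user names whose stored value is not an MD5 digest."""
    return [user for user, pw in rows if not MD5_HEX.match(pw)]


def parse_log(text):
    """Parse one monthly log file into dicts keyed by LOG_FIELDS."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        # Pad short rows: user level and ID are optional and may be empty.
        row = (row + [""] * len(LOG_FIELDS))[:len(LOG_FIELDS)]
        entry = dict(zip(LOG_FIELDS, row))
        # The client field is "IP (reverse DNS name)"; keep the bare IP too.
        entry["ip"] = entry["client"].split(" ", 1)[0]
        entries.append(entry)
    return entries


def failed_logins_by_ip(entries):
    """Count error actions (anything but login/logout) per client IP."""
    return Counter(e["ip"] for e in entries
                   if e["action"] not in ("login", "logout"))


# Constructed sample data (not from a real installation)
SAMPLE_ROWS = [
    ("alice", stored_password_value("correct horse")),
    ("bob", "hunter2"),  # plaintext: can never match when MD5 mode is on
]

SAMPLE_LOG = """\
2004-03-02 10:15:01,login,alice,2,17,203.0.113.5 (host5.example.net),http://www.example.com/,/members/index.php,Mozilla/4.0 (compatible; MSIE 6.0),/members/index.php
2004-03-02 10:16:43,errBadPassword,bob,,,198.51.100.9 (unknown),,/members/index.php,"Mozilla/5.0 (X11; Linux, en)",/members/index.php
2004-03-02 10:16:50,errBadPassword,bob,,,198.51.100.9 (unknown),,/members/index.php,"Mozilla/5.0 (X11; Linux, en)",/members/index.php
2004-03-02 10:17:02,errUnknownUser,admin,,,198.51.100.9 (unknown),,/members/index.php,"Mozilla/5.0 (X11; Linux, en)",/members/index.php
2004-03-02 11:00:00,logout,alice,2,17,203.0.113.5 (host5.example.net),http://www.example.com/members/,/members/logout.php,Mozilla/4.0 (compatible; MSIE 6.0),/members/logout.php
"""

if __name__ == "__main__":
    print("non-MD5 password values:", audit_password_column(SAMPLE_ROWS))
    for ip, n in failed_logins_by_ip(parse_log(SAMPLE_LOG)).most_common():
        print(f"{ip}: {n} failed login(s)")
```

Both functions take plain iterables, so the rows can come from a database dump or from the account blocks in secure.php, and the log text from any monthly file in logs/. The csv module is used rather than a split on commas because the browser type field can itself contain commas. Keep in mind that MD5 is an unsalted, fast digest, so a copied table is only as strong as the passwords in it; that is one more reason to keep the database and configuration files out of reach, as the point about server compromise above says.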
------ license ------

Free for non-commercial use: the software may be used without fee if such usage is limited to non-commercial pursuits. It is explicitly forbidden to sell this software or otherwise make money out of it without approval of the author. To use this software on a commercial basis as described above you must contact the author for terms. If this software is used for free, the copyright line in the file interface.php may NOT be removed or altered in such a way that it becomes less (or un-) readable.

For commercial usage it is now possible to buy a license online. For a small site the price is $20. Go to Paul Kruyt's site for the easiest way to get it. Contact him at phpSecurePages@xs4all.nl if you have any questions about licenses.

------ disclaimer ------

By using this application, the user agrees that he/she is solely responsible for the safety of his/her pages. The writers of this program do not accept any responsibility for the safety of your pages, and the possible loss resulting from the lack thereof. The software is provided "as is", without warranty of any kind, express or implied. In no event shall the authors be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the software.

------ final ------

Note however that this application is still in beta development. Therefore the author cannot guarantee that it is completely bug- and fault-free. However, be assured that extensive testing has taken place before this application was distributed.

The following persons helped Paul Kruyt by testing or by coding; everyone, a big thanks: Joshua Macadam, dfocus, Arno van de Kolk, Alejandro Vásquez, Richard M. Pavonarius, Fabiano R. Prestes, Matteo Bettineschi, Christian Schims, R. Tenenbaum, Stéphane Hoyau, Manuel Soriano, Dean Lin, Manuel Herrera, Mercury He, Henrik Blicher Hansen, Art Koval, Sorin Sfirlogea, Joan Manel López, Oskar, Dimiter Stankov, Frantisek Repkovsky, Markus Bernhard, Jan Hunter, Ingimundur Gunnar Nielsson, Martin Hubacek, Per Egil Kummervold, Panu Artimo, Markku Lappalainen, Suryo Sucipto, Janez Vrenjak, Mitsushi Sugimoto, Andris Jershovs, Marek Kotsulim.

For this last version, thanks to The MetoS & PoPoV TeaM for the root of the database abstraction script.

The latest releases, more information and a demonstration setup can be found at:
- unofficial French site: http://www.ifrance.com/mercusot/phpSecurePages
- in English, for the vanilla version: http://www.phpSecurePages.com

More information can also be found at FreshMeat.com: http://freshmeat.net/projects/phpSecurePages/

Greetings,
Hugues Mercusot